MALICIOUS
118
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.001 Malicious Link
The PDF file contains embedded JavaScript that utilizes the 'eval()' function and the CVE-2009-0927 vulnerability (Collab.getIcon). The JavaScript is heavily obfuscated but appears to be designed to download and execute a second-stage payload. The presence of multiple obfuscated JavaScript streams and the specific exploit trigger strongly suggest a malicious intent to compromise the user's system.
Heuristics 5
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj111711_000.js12844a1d14fa49fc5f4f1207b0225e7816e1a757e656731521187a2bd8f0811c |
pdf-javascript-stream | PDF /JS object 111711 at offset 0x18E | 3756 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
|
|||
javascript_obj111712_001.js123967dd4c6556d7ec6823b534dff18f2bdc3d22822d0825477665650da51f6a |
pdf-javascript-stream | PDF /JS object 111712 at offset 0x1070 | 15431 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
javascript_obj111713_002.js6c8e543137096c1dba32173624a9552dd45df246a895709b7e476b22a2859536 |
pdf-javascript-stream | PDF /JS object 111713 at offset 0x4CED | 1627 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.js278bc3f145d885c4e0d181d486326257c0f56a947a5d16529f970de5c9e47086 |
deobfuscated-js | double percent-decoded annotation JavaScript at offset 0x1070 | 13917 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_001.jsf89df567ac1524aa97d7d1c2e318640fc4fa1525d608905c9904da2f1b756863 |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x1070 | 1520 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_002.jsfb9a16a620d2e5ae8e0e91b2b12106ca1aa4708ffab18d966fcbfae502dae74c |
deobfuscated-js | multi-marker percent-array decoded JavaScript at offset 0x4CED | 107 bytes |
legacy_pdfkit_stage_003.js9031e625ca5a456e567086a7bc0ce529279e2e4d2651d9376a111ba497bf7735 |
deobfuscated-js | multi-marker percent-array combined decoded JavaScript at offset 0x1070 | 1628 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.